Presentation on theme: "Chapter 14 Computer Security Threats"— Presentation transcript:
1 Chapter 14 Computer Security Threats Operating Systems: Internals and Design PrinciplesChapter 14 Computer Security Threats“Operating Systems: Internal and Design Principles”, 7/e, by William Stallings, Chapter 14 “Computer Security Threats”.Seventh Edition By William Stallings
2 Operating Systems: Internals and Design Principles The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.— THE ART OF WAR,Sun TzuThis chapter provides an overview of security threats. We begin with a discussion of what we mean by computer security.In essence, computer security deals with computer-related assets that are subject to a variety of threats and for which variousmeasures are taken to protect those assets. The remainder of the chapter looks at the two broad categories of computer andnetwork security threats: intruders and malicious software.Cryptographic algorithms, such as encryption and hash functions, play a roleboth in computer security threats and computer security techniques. Appendix Kprovides an overview of these algorithms.
3 Computer SecurityThe NIST (National Institute of Standards and Technology) Computer Security Handbook defines computer security as:The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).The NIST Computer Security Handbook [NIST95] defines the term computersecurity as follows:Computer security: The protection afforded to an automated information systemin order to attain the applicable objectives of preserving the integrity, availability,and confidentiality of information system resources (includes hardware, software,firmware, information/data, and telecommunications).
4 Key Objectives of Computer Security ConfidentialityData confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individualsPrivacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosedIntegrityData integrity assures that information and programs are changed only in a specified and authorized mannerSystem integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the systemAvailabilityassures that systems work promptly and service is not denied to authorized usersThis definition introduces three key objectives that are at the heart of computersecurity:• Confidentiality : This term covers two related concepts:— Data 1 confidentiality: Assures that private or confidential information isnot made available or disclosed to unauthorized individuals— Privacy : Assures that individuals control or influence what informationrelated to them may be collected and stored and by whom and to whomthat information may be disclosed• Integrity : This term covers two related concepts:— Data integrity : Assures that information and programs are changed only ina specified and authorized manner— System integrity : Assures that a system performs its intended function inan unimpaired manner, free from deliberate or inadvertent unauthorizedmanipulation of the system• Availability : Assures that systems work promptly and service is not denied toauthorized users
5 CIA Triad Security Objectives: Confidentiality - a loss of confidentiality is the unauthorized disclosure of informationIntegrity- a loss of integrity is the unauthorized modification or destruction of informationAvailability- a loss of availability is the disruption of access to or use of information or an information systemThese three concepts form what is often referred to as the CIA triad ( Figure 14.1 ).The three concepts embody the fundamental security objectives for both data andfor information and computing services. For example, the NIST standard FIPS 199( Standards for Security Categorization of Federal Information and Information Systems )lists confidentiality, integrity, and availability as the three security objectives for informationand for information systems. FIPS PUB 199 provides a useful characterizationof these three objectives in terms of requirements and the definition of a loss of securityin each category:• Confidentiality: Preserving authorized restrictions on information accessand disclosure, including means for protecting personal privacy and proprietaryinformation. A loss of confidentiality is the unauthorized disclosure ofinformation.• Integrity: Guarding against improper information modification or destruction,including ensuring information nonrepudiation and authenticity. A loss ofintegrity is the unauthorized modification or destruction of information.• Availability: Ensuring timely and reliable access to and use of information.A loss of availability is the disruption of access to or use of information or aninformation system.
6 Additional Concepts Accountability Authenticity Two further concepts are often added to the core of computer security:AccountabilityAuthenticityThe security goal that generates the requirement for actions of an entity to be traced uniquely to that entityWe must be able to trace a security breach to a responsible partySystems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputesThe property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originatorVerifying that users are who they say they are and that each input arriving at the system came from a trusted sourceAlthough the use of the CIA triad to define security objectives is well established,some in the security field feel that additional concepts are needed to presenta complete picture. Two of the most commonly mentioned are as follows:• Authenticity : The property of being genuine and being able to be verified andtrusted; confidence in the validity of a transmission, a message, or messageoriginator. This means verifying that users are who they say they are and thateach input arriving at the system came from a trusted source.• Accountability : The security goal that generates the requirement for actionsof an entity to be traced uniquely to that entity. This supports nonrepudiation,deterrence, fault isolation, intrusion detection and prevention,and after-action recovery and legal action. Because truly secure systemsaren’t yet an achievable goal, we must be able to trace a security breach toa responsible party. Systems must keep records of their activities to permitlater forensic analysis to trace security breaches or to aid in transactiondisputes.Note that FIPS PUB 199 includes authenticity under integrity.
7 Threats & Their Effects Multiple threatening actions generate four types of consequences:Unauthorized disclosureDeceptionDisruptionUsurpation
8 Table 14.1 ----- Unauthorized Disclosure Threat Consequences, and the Types of Threat ActionsThat Cause Each Consequence(Based on RFC 2828)Table 14.1 , based on RFC 2828, describes four kinds of threat consequences andlists the kinds of attacks that result in each consequence.Unauthorized disclosure is a threat to confidentiality. The following types ofattacks can result in this threat consequence:• Exposure : This can be deliberate, as when an insider intentionally releases sensitiveinformation, such as credit card numbers, to an outsider. It can also be theresult of a human, hardware, or software error, which results in an entity gainingunauthorized knowledge of sensitive data. There have been numerous instancesof this, such as universities accidentally posting student confidential informationon the Web.• Interception : Interception is a common attack in the context of communications.On a shared local area network (LAN), such as a wireless LAN or abroadcast Ethernet, any device attached to the LAN can receive a copy ofpackets intended for another device. On the Internet, a determined hackercan gain access to traffic and other data transfers. All of these situationscreate the potential for unauthorized access to data.• Inference: An example of inference is known as traffic analysis, in which anadversary is able to gain information from observing the pattern of traffic ona network, such as the amount of traffic between particular pairs of hosts onthe network. Another example is the inference of detailed information froma database by a user who has only limited access; this is accomplished byrepeated queries whose combined results enable inference.Intrusion : An example of intrusion is an adversary gaining unauthorized accessto sensitive data by overcoming the system’s access control protections.
9 Table DeceptionThreat Consequences, and the Types of Threat ActionsThat Cause Each Consequence(Based on RFC 2828)Deception is a threat to either system integrity or data integrity. The followingtypes of attacks can result in this threat consequence:• Masquerade : One example of masquerade is an attempt by an unauthorizeduser to gain access to a system by posing as an authorized user; thiscould happen if the unauthorized user has learned another user’s logon IDand password. Another example is malicious logic, such as a Trojan horse,that appears to perform a useful or desirable function but actually gainsunauthorized access to system resources or tricks a user into executing othermalicious logic.• Falsification : This refers to the altering or replacing of valid data or the introductionof false data into a file or database. For example, a student may alterhis or her grades on a school database.• Repudiation : In this case, a user either denies sending data or a user deniesreceiving or possessing the data.
10 Table 14.1 ----- Disruption Threat Consequences, and the Types of Threat ActionsThat Cause Each Consequence(Based on RFC 2828)Disruption is a threat to availability or system integrity. The following types ofattacks can result in this threat consequence:• Incapacitation: This is an attack on system availability. This could occur as aresult of physical destruction of or damage to system hardware. More typically,malicious software, such as Trojan horses, viruses, or worms, could operate insuch a way as to disable a system or some of its services.• Corruption: This is an attack on system integrity. Malicious software in thiscontext could operate in such a way that system resources or services functionin an unintended manner. Or a user could gain unauthorized access toa system and modify some of its functions. An example of the latter is a userplacing backdoor logic in the system to provide subsequent access to a systemand its resources by other than the usual procedure.• Obstruction: One way to obstruct system operation is to interfere with communicationsby disabling communication links or altering communicationcontrol information. Another way is to overload the system by placing excessburden on communication traffic or processing resources.
11 Table 14.1 ----- Usurpation Threat Consequences, and the Types of Threat ActionsThat Cause Each Consequence(Based on RFC 2828)Usurpation is a threat to system integrity. The following types of attacks canresult in this threat consequence:• Misappropriation: This can include theft of service. An example is a distributeddenial of service attack, when malicious software is installed on a numberof hosts to be used as platforms to launch traffic at a target host. In this case,the malicious software makes unauthorized use of processor and operatingsystem resources.• Misuse: Misuse can occur either by means of malicious logic or a hacker thathas gained unauthorized access to a system. In either case, security functionscan be disabled or thwarted.
12 Scope of System Security The assets of a computer system can be categorized as hardware, software, data,and communication lines and networks. In this subsection, we briefly describe thesefour categories and relate these to the concepts of integrity, confidentiality, andavailability introduced in Section 14.1 (see Figure 14.2 and Table 14.2 ).
13 Examples of Threats to System Assets HARDWAREA major threat to computer system hardware is the threat toavailability. Hardware is the most vulnerable to attack and the least susceptible toautomated controls. Threats include accidental and deliberate damage to equipmentas well as theft. The proliferation of personal computers and workstations and thewidespread use of LANs increase the potential for losses in this area. Theft ofCD-ROMs and DVDs can lead to loss of confidentiality. Physical and administrativesecurity measures are needed to deal with these threats.SOFTWARESoftware includes the operating system, utilities, and applicationprograms. A key threat to software is an attack on availability. Software, especiallyapplication software, is often easy to delete. Software can also be altered ordamaged to render it useless. Careful software configuration management, whichincludes making backups of the most recent version of software, can maintain highavailability. A more difficult problem to deal with is software modification thatresults in a program that still functions but that behaves differently than before,which is a threat to integrity/authenticity. Computer viruses and related attacks fallinto this category. A final problem is protection against software piracy. Althoughcertain countermeasures are available, by and large the problem of unauthorizedcopying of software has not been solved.DATAHardware and software security are typically concerns of computing centerprofessionals or individual concerns of personal computer users. A much morewidespread problem is data security, which involves files and other forms of datacontrolled by individuals, groups, and business organizations.Security concerns with respect to data are broad, encompassing availability,secrecy, and integrity. In the case of availability, the concern is with the destructionof data files, which can occur either accidentally or maliciously.The obvious concern with secrecy is the unauthorized reading of data files ordatabases, and this area has been the subject of perhaps more research and effortthan any other area of computer security. A less obvious threat to secrecy involvesthe analysis of data and manifests itself in the use of so-called statistical databases,which provide summary or aggregate information. Presumably, the existence ofaggregate information does not threaten the privacy of the individuals involved.However, as the use of statistical databases grows, there is an increasing potentialfor disclosure of personal information. In essence, characteristics of constituentindividuals may be identified through careful analysis. For example, if one tablerecords the aggregate of the incomes of respondents A, B, C, and D and anotherrecords the aggregate of the incomes of A, B, C, D, and E, the difference betweenthe two aggregates would be the income of E. This problem is exacerbated by theincreasing desire to combine data sets. In many cases, matching several sets of datafor consistency at different levels of aggregation requires access to individual units.Thus, the individual units, which are the subject of privacy concerns, are available atvarious stages in the processing of data sets.Finally, data integrity is a major concern in most installations. Modificationsto data files can have consequences ranging from minor to disastrous.
14 Passive AttacksAttempts to learn or make use of information from the system but does not affect system resourcesAre in the nature of eavesdropping on, or monitoring of, transmissionsGoal of the attacker is to obtain information that is being transmittedDifficult to detect because they do not involve any alteration of the datais feasible to prevent the success of these attacks by means of encryptionEmphasis in dealing with passive attacks is on prevention rather than detectionNetwork security attacks can be classifiedas passive attacks and active attacks . A passive attack attempts to learn or makeuse of information from the system but does not affect system resources. An activeattack attempts to alter system resources or affect their operation.Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.The goal of the attacker is to obtain information that is being transmitted.Two types of passive attacks are release of message contents and traffic analysis.The concept of release of message contents , is easily understood. A telephoneconversation, an electronic mail message, and a transferred file may contain sensitiveor confidential information. We would like to prevent an opponent from learning thecontents of these transmissions.Traffic analysis is a more subtle form of passive attack. Suppose that we had away of masking the contents of messages or other information traffic so that opponents,even if they captured the message, could not extract the information fromthe message. The common technique for masking contents is encryption. If we hadencryption protection in place, an opponent might still be able to observe the patternof these messages. The opponent could determine the location and identity ofcommunicating hosts and could observe the frequency and length of messages beingexchanged. This information might be useful in guessing the nature of the communicationthat was taking place.Passive attacks are very difficult to detect because they do not involve anyalteration of the data. Typically, the message traffic is sent and received in an apparentlynormal fashion, and neither the sender nor the receiver is aware that a thirdparty has read the messages or observed the traffic pattern. However, it is feasibleto prevent the success of these attacks, usually by means of encryption. Thus, theemphasis in dealing with passive attacks is on prevention rather than detection.Types:release of message contentstraffic analysis
15 Active AttacksInvolve some modification of the data stream or the creation of a false streamFour categories:Replayinvolves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effectMasqueradetakes place when one entity pretends to be a different entityModification of messagessome portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effectDenial of serviceprevents or inhibits the normal use or management of communications facilitiesdisruption of an entire network either by disabling the network or by overloading it with messages so as to degrade performanceActive attacks involve some modification of the data stream or the creationof a false stream and can be subdivided into four categories: replay, masquerade,modification of messages, and denial of service.Replay involves the passive capture of a data unit and its subsequent retransmissionto produce an unauthorized effect.A masquerade takes place when one entity pretends to be a different entity. Amasquerade attack usually includes one of the other forms of active attack. For example,authentication sequences can be captured and replayed after a valid authenticationsequence has taken place, thus enabling an authorized entity with few privilegesto obtain extra privileges by impersonating an entity that has those privileges.Modification of messages simply means that some portion of a legitimatemessage is altered, or that messages are delayed or reordered, to produce anunauthorized effect. For example, a message stating, “Allow John Smith to read confidentialfile accounts ” is modified to say, “Allow Fred Brown to read confidentialfile accounts .”The denial of service prevents or inhibits the normal use or management ofcommunications facilities. This attack may have a specific target; for example, anentity may suppress all messages directed to a particular destination (e.g., the securityaudit service). Another form of service denial is the disruption of an entire network,either by disabling the network or by overloading it with messages so as to degradeperformance.Active attacks present the opposite characteristics of passive attacks. Whereaspassive attacks are difficult to detect, measures are available to prevent their success.On the other hand, it is quite difficult to prevent active attacks absolutely,because to do so would require physical protection of all communications facilitiesand paths at all times. Instead, the goal is to detect them and to recover from anydisruption or delays caused by them. Because the detection has a deterrent effect, itmay also contribute to prevention.
16 Intruder Behavior Patterns Hackers: usually in it for fun and status, not necessarily looking for financial gainCriminals: organized, efficient, may have a social or financial objectiveInternal threats: Employees, usually – may have a grudge against the company.See page 617 for more details
17 Malware General term for any malicious software Software designed to cause damage to or use up the resources of a target computerFrequently concealed within or masquerades as legitimate softwareIn some cases it spreads itself to other computers via or infected discsThe concept of malicious software, or malware, was introduced in Section Malwareis software designed to cause damage to or use up the resources of a target computer.It is frequently concealed within or masquerades as legitimate software. In some cases,it spreads itself to other computers via or infected discs. The terminology in thisarea presents problems because of a lack of universal agreement on all of the termsand because some of the categories overlap. Table 14.4 is a useful guide.In this section, we briefly survey some of the key categories of malicious software,deferring discussion on the key topics of viruses, worms, bots, and rootkitsuntil the following sections.
18 Table 14.4 Terminology of Malicious Programs Table 14.4 is a useful guide of Malicious Programs.
19 Backdoor Also known as a trapdoor A secret entry point into a program that allows someone to gain access without going through the usual security access proceduresA maintenance hook is a backdoor that programmers use to debug and test programsBecome threats when unscrupulous programmers use them to gain unauthorized accessIt is difficult to implement operating system controls for backdoorsA backdoor , also known as a trapdoor , is a secret entry point into a programthat allows someone who is aware of the backdoor to gain access without goingthrough the usual security access procedures. Programmers have used backdoorslegitimately for many years to debug and test programs; such a backdoor is calleda maintenance hook . This usually is done when the programmer is developing anapplication that has an authentication procedure, or a long setup, requiring the userto enter many different values to run the application. To debug the program, thedeveloper may wish to gain special privileges or to avoid all the necessary setup andauthentication. The programmer may also want to ensure that there is a method ofactivating the program should something be wrong with the authentication procedurethat is being built into the application. The backdoor is code that recognizessome special sequence of input or is triggered by being run from a certain user ID orby an unlikely sequence of events.Backdoors become threats when unscrupulous programmers use them togain unauthorized access. The backdoor was the basic idea for the vulnerabilityportrayed in the movie War Games . Another example is that during the developmentof Multics, penetration tests were conducted by an Air Force “tiger team”(simulating adversaries). One tactic employed was to send a bogus operating systemupdate to a site running Multics. The update contained a Trojan horse (describedlater) that could be activated by a backdoor and that allowed the tiger team to gainaccess. The threat was so well implemented that the Multics developers could notfind it, even after they were informed of its presence [ENGE80].It is difficult to implement operating system controls for backdoors. Securitymeasures must focus on the program development and software update activities.
20 Logic Bomb One of the oldest types of program threat Code embedded in some legitimate program that is set to “explode” when certain conditions are metOnce triggered a bomb may alter or delete data or entire files, cause a machine halt, or do some other damageOne of the oldest types of program threat, predating viruses and worms, is the logicbomb. The logic bomb is code embedded in some legitimate program that is set to“explode” when certain conditions are met. Examples of conditions that can be usedas triggers for a logic bomb are the presence or absence of certain files, a particularday of the week or date, or a particular user running the application. Once triggered,a bomb may alter or delete data or entire files, cause a machine halt, or do someother damage. A striking example of how logic bombs can be employed was thecase of Tim Lloyd, who was convicted of setting a logic bomb that cost his employer,Omega Engineering, more than $10 million, derailed its corporate growth strategy,and eventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd wassentenced to 41 months in prison and ordered to pay $2 million in restitution.
21 Trojan HorseUseful, or apparently useful, program or command procedure that contains hidden code that, when invoked, performs some unwanted or harmful functionTrojan horses fit into one of three models:continuing to perform the function of the original program and additionally performing a separate malicious activitycontinuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activityperforming a malicious function that completely replaces the function of the original programA Trojan horse is a useful, or apparently useful, program or command procedurecontaining hidden code that, when invoked, performs some unwanted or harmfulfunction.Trojan horse programs can be used to accomplish functions indirectly that anunauthorized user could not accomplish directly. For example, to gain access to thefiles of another user on a shared system, a user could create a Trojan horse programthat, when executed, changes the invoking user’s file permissions so that the filesare readable by any user. The author could then induce users to run the program byplacing it in a common directory and naming it such that it appears to be a usefulutility program or application. An example is a program that ostensibly producesa listing of the user’s files in a desirable format. After another user has run theprogram, the author of the program can then access the information in the user’sfiles. An example of a Trojan horse program that would be difficult to detect is acompiler that has been modified to insert additional code into certain programs asthey are compiled, such as a system login program [THOM84]. The code creates abackdoor in the login program that permits the author to log on to the system usinga special password. This Trojan horse can never be discovered by reading the sourcecode of the login program.Another common motivation for the Trojan horse is data destruction. Theprogram appears to be performing a useful function (e.g., a calculator program),but it may also be quietly deleting the user’s files. For example, a CBS executivewas victimized by a Trojan horse that destroyed all information contained in hiscomputer’s memory [TIME90]. The Trojan horse was implanted in a graphics routineoffered on an electronic bulletin board system.Trojan horses fit into one of three models:• Continuing to perform the function of the original program and additionallyperforming a separate malicious activity• Continuing to perform the function of the original program but modifying thefunction to perform malicious activity (e.g., a Trojan horse version of a loginprogram that collects passwords) or to disguise other malicious activity (e.g., aTrojan horse version of a process listing program that does not display certainprocesses that are malicious)• Performing a malicious function that completely replaces the function of theoriginal program
23 Multiple-Threat Malware Infects in multiple waysTypically the multipartite virus is capable of infecting multiple types of filesA blended attack uses multiple methods of infection or transmission to maximize the speed of contagion and the severity of the attackAn example of a blended attack is the Nimda attackViruses and other malware may operate in multiple ways. The terminology is farfrom uniform; this subsection gives a brief introduction to several related conceptsthat could be considered multiple-threat malware.A multipartite virus infects in multiple ways. Typically, the multipartite virusis capable of infecting multiple types of files, so that virus eradication must deal withall of the possible sites of infection.A blended attack uses multiple methods of infection or transmission, to maximizethe speed of contagion and the severity of the attack. Some writers characterizea blended attack as a package that includes multiple types of malware. An exampleof a blended attack is the Nimda attack, erroneously referred to as simply a worm.Nimda uses four distribution methods:• A user on a vulnerable host opens an infected attachment;Nimda looks for addresses on the host and then sends copies of itself tothose addresses.Windows shares: Nimda scans hosts for unsecured Windows file shares; it canthen use NetBIOS86 as a transport mechanism to infect files on that host inthe hopes that a user will run an infected file, which will activate Nimda onthat host.• Web servers: Nimda scans Web servers, looking for known vulnerabilities inMicrosoft IIS. If it finds a vulnerable server, it attempts to transfer a copy ofitself to the server and infect it and its files.• Web clients: If a vulnerable Web client visits a Web server that has beeninfected by Nimda, the client’s workstation will become infected.Thus, Nimda has worm, virus, and mobile code characteristics. Blended attacksmay also spread through other services, such as instant messaging and peer-to-peerfile sharing.Windows sharesWeb serversWeb clientsNimda uses four distribution methods:
24 Viruses Software that “infects” other programs by modifying them carries instructional code to self duplicatebecomes embedded in a program on a computerwhen the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new programinfection can be spread by swapping disks from computer to computer or through a networkA computer virus has three parts:an infection mechanismtriggerpayloadA computer virus is a piece of software that can “infect” other programs by modifyingthem; the modification includes injecting the original program with a routine tomake copies of the virus program, which can then go on to infect other programs.Biological viruses are tiny scraps of genetic code—DNA or RNA—that cantake over the machinery of a living cell and trick it into making thousands of flawlessreplicas of the original virus. Like its biological counterpart, a computer viruscarries in its instructional code the recipe for making perfect copies of itself. Thetypical virus becomes embedded in a program on a computer. Then, whenever theinfected computer comes into contact with an uninfected piece of software, a freshcopy of the virus passes into the new program. Thus, the infection can be spreadfrom computer to computer by unsuspecting users who either swap disks or sendprograms to one another over a network. In a network environment, the abilityto access applications and system services on other computers provides a perfectculture for the spread of a virus.A virus can do anything that other programs do. Theonly difference is that it attaches itself to another program and executes secretlywhen the host program is run. Once a virus is executing, it can perform any functionthat is allowed by the privileges of the current user, such as erasing files andprograms.A computer virus has three parts [AYCO06]:• Infection mechanism : The means by which a virus spreads, enabling it to replicate.The mechanism is also referred to as the infection vector .• Trigger: The event or condition that determines when the payload is activatedor delivered.• Payload: What the virus does, besides spreading. The payload may involvedamage or may involve benign but noticeable activity.
25 Virus Phases Execution Phase the function is performed Dormant Phasethe virus is idlewill eventually be activated by some eventnot all viruses have this stagePropagation Phasethe virus places an identical copy of itself into other programs or into certain system areas on the diskTriggering Phasethe virus is activated to perform the function for which it was intendedtriggering phase can be caused by a variety of system eventsExecution Phasethe function is performedthe function may be harmless (message on screen) or damaging (destruction of programs and data files)During its lifetime, a typical virus goes through the following four phases:• Dormant phase: The virus is idle. The virus will eventually be activated bysome event, such as a date, the presence of another program or file, or thecapacity of the disk exceeding some limit. Not all viruses have this stage.• Propagation phase: The virus places an identical copy of itself into other programsor into certain system areas on the disk. Each infected program willnow contain a clone of the virus, which will itself enter a propagation phase.• Triggering phase: The virus is activated to perform the function for which itwas intended. As with the dormant phase, the triggering phase can be causedby a variety of system events, including a count of the number of times thatthis copy of the virus has made copies of itself.• Execution phase: The function is performed. The function may be harmless,such as a message on the screen, or damaging, such as the destruction ofprograms and data files.Most viruses carry out their work in a manner that is specific to a particularoperating system and, in some cases, specific to a particular hardware platform. Thus,they are designed to take advantage of the details and weaknesses of particularsystems.
26 Virus Classification Boot sector infector File infector Macro virus There is no universally agreed upon classification scheme for virusesClassification by target includes the following categories:Boot sector infectorinfects a master boot record or boot record and spreads when a system is booted from the disk containing the virusFile infectorinfects files that the operating system or shell consider to be executableMacro virusinfects files with macro code that is interpreted by an applicationThere has been a continuous arms race between viruswriters and writers of antivirus software since viruses first appeared. As effectivecountermeasures are developed for existing types of viruses, newer types aredeveloped. There is no simple or universally agreed upon classification schemefor viruses. In this section, we follow [AYCO06] and classify viruses along twoorthogonal axes: the type of target the virus tries to infect, and the method thevirus uses to conceal itself from detection by users and antivirus software.A virus classification by target includes the following categories:• Boot sector infector: Infects a master boot record or boot record and spreadswhen a system is booted from the disk containing the virus• File infector: Infects files that the operating system or shell consider to beexecutable• Macro virus : Infects files with macro code that is interpreted by an application
27 Concealment StrategyA virus classification by concealment strategy includes:Encrypted virusrandom encryption key encrypts remainder of virusStealth virushides itself from detection of antivirus softwarePolymorphic virusmutates with every infectionmutation engine is the portion of the virus that is responsible for generating keys and performing encryption/decryptionMetamorphic virusrewrites itself completely after every iterationA virus classification by concealment strategy includes the following categories:• Encrypted virus: A typical approach is as follows. A portion of the viruscreates a random encryption key and encrypts the remainder of the virus.The key is stored with the virus. When an infected program is invoked, thevirus uses the stored random key to decrypt the virus. When the virus replicates,a different random key is selected. Because the bulk of the virus isencrypted with a different key for each instance, there is no constant bitpattern to observe.Stealth virus: A form of virus explicitly designed to hide itself from detectionby antivirus software. Thus, the entire virus, not just a payload is hidden.• Polymorphic virus: A virus that mutates with every infection, making detectionby the “signature” of the virus impossible.• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutateswith every infection. The difference is that a metamorphic virus rewrites itselfcompletely at each iteration, increasing the difficulty of detection. Metamorphicviruses may change their behavior as well as their appearance.One example of a stealth virus was discussed earlier: A virus that uses compressionso that the infected program is exactly the same length as an uninfectedversion. Far more sophisticated techniques are possible. For example, a virus canplace intercept logic in disk I/O routines, so that when there is an attempt to readsuspected portions of the disk using these routines, the virus will present back theoriginal, uninfected program. Thus, stealth is not a term that applies to a virus assuch but, rather, refers to a technique used by a virus to evade detection.A polymorphic virus creates copies during replication that are functionallyequivalent but have distinctly different bit patterns. As with a stealth virus, thepurpose is to defeat programs that scan for viruses. In this case, the “signature” ofthe virus will vary with each copy. To achieve this variation, the virus may randomlyinsert superfluous instructions or interchange the order of independent instructions.A more effective approach is to use encryption. The strategy of the encryptionvirus is followed. The portion of the virus that is responsible for generating keys andperforming encryption/decryption is referred to as the mutation engine . The mutationengine itself is altered with each use.
28 VirusesThe first rapidly spreading viruses made use of a Microsoft Word macro embedded in an attachmentIn 1999 a newer, more powerful version of the virus appearedcan be activated merely by opening an that contains the virus rather than opening an attachmentthe virus uses the Visual Basic scripting language supported by the packageIf the recipient opens the attachment the Word macro is activatedthe virus sends itself to everyone on the mailing list in the user’s packagethe virus does local damage on the user’s systemA more recent development in malicious software is thevirus. The first rapidly spreading viruses, such as Melissa, made use ofa Microsoft Word macro embedded in an attachment. If the recipient opens theattachment, the Word macro is activated. Then1. The virus sends itself to everyone on the mailing list in the user’spackage.2. The virus does local damage on the user’s system.In 1999, a more powerful version of the virus appeared. This newerversion can be activated merely by opening an that contains the virus ratherthan opening an attachment. The virus uses the Visual Basic scripting languagesupported by the package.Thus we see a new generation of malware that arrives via and usessoftware features to replicate itself across the Internet. The virus propagatesitself as soon as it is activated (either by opening an attachment or byopening the ) to all of the addresses known to the infected host. As aresult, whereas viruses used to take months or years to propagate, they now do soin hours. This makes it very difficult for antivirus software to respond before muchdamage is done. Ultimately, a greater degree of security must be built into Internetutility and application software on PCs to counter the growing threat.
29 WormsA program that can replicate itself and send copies from computer to computer across network connectionsUpon arrival the worm may be activated to replicate and propagate againIn addition to propagation the worm usually performs some unwanted functionActively seeks out more machines to infect and each machine that is infected serves as an automate launching pad for attacks on other machinesA worm is a program that can replicate itself and send copies from computer tocomputer across network connections. Upon arrival, the worm may be activated toreplicate and propagate again. In addition to propagation, the worm usually performssome unwanted function. An virus has some of the characteristics of a wormbecause it propagates itself from system to system. However, we can still classify it as avirus because it uses a document modified to contain viral macro content and requireshuman action. A worm actively seeks out more machines to infect and each machinethat is infected serves as an automated launching pad for attacks on other machines.Network worm programs use network connections to spread from system tosystem. Once active within a system, a network worm can behave as a computervirus or bacteria, or it could implant Trojan horse programs or perform any numberof disruptive or destructive actions.
30 Worm Propagation Electronic mail facility Remote execution capability To replicate itself a network worm uses some sort of network vehiclea worm mails a copy of itself to other systems so that its code is run when the or an attachment is received or viewedElectronic mail facilitya worm executes a copy of itself on another system either using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operationsRemote execution capabilitya worm logs on to a remote system as a user and then uses commands to copy itself from one system to the otherRemote log-in capabilityTo replicate itself, a network worm uses some sort of network vehicle.Examples include the following:• Electronic mail facility: A worm mails a copy of itself to other systems, so thatits code is run when the or an attachment is received or viewed.• Remote execution capability: A worm executes a copy of itself on anothersystem, either using an explicit remote execution facility or by exploiting aprogram flaw in a network service to subvert its operations (such as bufferoverflow, described in Chapter 7 ).• Remote login capability: A worm logs on to a remote system as a user andthen uses commands to copy itself from one system to the other, where it thenexecutes.The new copy of the worm program is then run on the remote system where, inaddition to any functions that it performs at that system, it continues to spread inthe same fashion.A network worm exhibits the same characteristics as a computer virus: adormant phase, a propagation phase, a triggering phase, and an execution phase.The propagation phase generally performs the following functions:1. Search for other systems to infect by examining host tables or similar repositoriesof remote system addresses.2. Establish a connection with a remote system.3. Copy itself to the remote system and cause the copy to be run.The network worm may also attempt to determine whether a system has previouslybeen infected before copying itself to the system. In a multiprogrammingsystem, it may also disguise its presence by naming itself as a system process or usingsome other name that may not be noticed by a system operator.As with viruses, network worms are difficult to counter.
31 BotsA program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot’s creatoralso known as a Zombie or droneTypically planted on hundreds or thousands of computers belonging to unsuspecting third partiesCollection of bots acting in a coordinated manner is a botnetA botnet exhibits three characteristics:the bot functionalitya remote control facilitya spreading mechanism to propagate the bots and construct the botnetA bot (robot), also known as a zombie or drone, is a program that secretly takesover another Internet-attached computer and then uses that computer to launchattacks that are difficult to trace to the bot’s creator. The bot is typically planted onhundreds or thousands of computers belonging to unsuspecting third parties. Thecollection of bots often is capable of acting in a coordinated manner; such a collectionis referred to as a botnet .A botnet exhibits three characteristics: the bot functionality, a remote controlfacility, and a spreading mechanism to propagate the bots and construct the botnet.We examine each of these characteristics in turn.
32 Uses of Bots Distributed denial-of-service (DDoS) attacks Spreading new malwarebotnets are used to spread new botsInstalling advertisement add-ons and browser helper objects (BHOs)set up a fake Web site and negotiate a deal with hosting companies that pay for clicks on adsAttacking Internet Relay chat (IRC) chat networksvictim is flooded with requests, bringing down the IRC network; similar to a DDoS attackManipulating online polls/gamesevery bot has a distinct IP address so it appears to be a real personDistributed denial-of-service (DDoS) attackscauses a loss of service to usersSpammingsending massive amounts of bulk (spam)Sniffing traffica packet sniffer is used to retrieve sensitive information like user names and passwordsKeyloggingcaptures keystrokesUsesofUSES OF BOTS [HONE05] lists the following uses of bots:• Distributed denial-of-service (DDoS) attacks : A DDoS attack is an attack ona computer system or network that causes a loss of service to users.• Spamming: With the help of a botnet and thousands of bots, an attacker is ableto send massive amounts of bulk (spam).• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartextdata passing by a compromised machine. The sniffers are mostly used toretrieve sensitive information like usernames and passwords.• Keylogging: If the compromised machine uses encrypted communicationchannels (e.g., HTTPS or POP3S), then just sniffing the network packets onthe victim’s computer is useless because the appropriate key to decrypt thepackets is missing. But by using a keylogger, which captures keystrokes on theinfected machine, an attacker can retrieve sensitive information. An implementedfiltering mechanism (e.g., “I am only interested in key sequences nearthe keyword ‘paypal.com’ ”) further helps in stealing secret data.• Spreading new malware: Botnets are used to spread new bots. This is veryeasy since all bots implement mechanisms to download and execute a file viaHTTP or FTP. A botnet with 10,000 hosts that acts as the start base for aworm or mail virus allows very fast spreading and thus causes more harm.• Installing advertisement add-ons and browser helper objects (BHOs): Botnetscan also be used to gain financial advantages. This works by setting up a fakeWeb site with some advertisements: The operator of this Web site negotiates adeal with some hosting companies that pay for clicks on ads. With the help ofa botnet, these clicks can be “automated” so that instantly a few thousand botsclick on the pop-ups. This process can be further enhanced if the bot hijacksthe start page of a compromised machine so that the “clicks” are executedeach time the victim uses the browser.• Attacking IRC chat networks: Botnets are also used for attacks againstInternet Relay Chat (IRC) networks. Popular among attackers is especiallythe so-called clone attack: In this kind of attack, the controller orders each botto connect a large number of clones to the victim IRC network. The victim isflooded by service requests from thousands of bots or thousands of channeljoinsby these cloned bots. In this way, the victim IRC network is broughtdown, similar to a DDoS attack.Manipulating online polls/games: Online polls/games are getting more andmore attention, and it is rather easy to manipulate them with botnets. Sinceevery bot has a distinct IP address, every vote will have the same credibilityas a vote cast by a real person. Online games can be manipulated in asimilar way.Bots
33 Remote Control Facility Distinguishes a bot from a worma worm propagates and activates itself, whereas a bot is controlled from some central facilityA typical means of implementing the remote control facility is on an IRC serverall bots join a specific channel on this server and treat incoming messages as commandsMore recent botnets tend to use covert communication channels via protocols such as HTTPDistributed control mechanisms are also used to avoid a single point of failureThe remote control facility is what distinguishes abot from a worm. A worm propagates itself and activates itself, whereas a bot iscontrolled from some central facility, at least initially.A typical means of implementing the remote control facility is on an IRCserver. All bots join a specific channel on this server and treat incoming messagesas commands. More recent botnets tend to avoid IRC mechanisms and use covertcommunication channels via protocols such as HTTP. Distributed control mechanismsare also used, to avoid a single point of failure.Once a communications path is established between a control module and thebots, the control module can activate the bots. In its simplest form, the control modulesimply issues command to the bot that causes the bot to execute routines thatare already implemented in the bot. For greater flexibility, the control module canissue update commands that instruct the bots to download a file from some Internetlocation and execute it. The bot in this latter case becomes a more general-purposetool that can be used for multiple attacks.
34 RootkitSet of programs installed on a system to maintain administrator (or root) access to that systemRoot access provides access to all the functions and services of the operating systemThe rootkit alters the host’s standard functionality in a malicious and stealthy waywith root access an attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demandA rootkit hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computerA rootkit is a set of programs installed on a system to maintain administrator (orroot) access to that system. Root access provides access to all the functions andservices of the operating system. The rootkit alters the host’s standard functionalityin a malicious and stealthy way. With root access, an attacker has complete controlof the system and can add or change programs and files, monitor processes, sendand receive network traffic, and get backdoor access on demand.A rootkit can make many changes to a system to hide its existence, makingit difficult for the user to determine that the rootkit is present and to identifywhat changes have been made. In essence, a rootkit hides by subverting themechanisms that monitor and report on the processes, files, and registries on acomputer.
35 System-Level Call Attacks Programs operating at the user level interact with the kernel through system callsIn Linux each system call is assigned a unique syscall numberThree techniques that can be used to change system calls:modify the system call tablemodify system call table targetsredirect the system call tableSystem-Level Call AttacksPrograms operating at the user level interact with the kernel through system calls.Thus, system calls are a primary target of kernel-level rootkits to achieve concealment.As an example of how rootkits operate, we look at the implementation ofsystem calls in Linux. In Linux, each system call is assigned a unique syscall number .When a user-mode process executes a system call, the process refers to the systemcall by this number. The kernel maintains a system call table with one entry persystem call routine; each entry contains a pointer to the corresponding routine. Thesyscall number serves as an index into the system call table.[LEVI06] lists three techniques that can be used to change system calls:• Modify the system call table: The attacker modifies selected syscall addressesstored in the system call table. This enables the rootkit to direct a system callaway from the legitimate routine to the rootkit’s replacement. Figure 14.6shows how the knark rootkit achieves this.• Modify system call table targets: The attacker overwrites selected legitimatesystem call routines with malicious code. The system call table is not changed.Redirect the system call table: The attacker redirects references to the entiresystem call table to a new table in a new kernel memory location.
36 SummaryComputer security is the protection afforded to an information system to preserve system resourcesCIA triad is confidentiality, integrity, availability; the fundamental security objectivesThreat consequences: unauthorized disclosure, deception, disruption, usurpationVirus – a piece of software that can infect and modify other programs; three parts are infection mechanism, trigger, and payloadA strategy for locating and identifying vulnerable machines is scanning or fingerprintingRootkit a set of programs installed on a system to maintain administrator access to that systemComputer and network assets: hardware, software, data, communication linesNetwork security attacks can be classified as passive attacks and active attacksIntruders: hackers, criminals, insider attacksMalware – malicious softwareBackdoor – a secret entry pointWorm – a program that can replicate itself across a networkA program that secretly takes over another Internet-attached computer and uses it to launch attacks is a botChapter 14 summary.